Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.



Family Basic cart-swap arbitrary code execution (Famicom (NES) games) - Page 1

Family Basic cart-swap arbitrary code execution (Famicom (NES) games)

Posted by: Torchickens
Date: 2019-06-06 10:50:56
Based on an article about video game localization.
https://legendsoflocalization.com/super-mario-bros/misc/

Basically for Famicom owners, this could be a free GameShark.


Fans quickly discovered another way to do this 256 Worlds trick: use Family BASIC to alter memory addresses directly. The trick for this was:

1. Connect the Famicom and the Famicom BASIC
2. Insert the backup cartridge and turn the power on
3. Bring up the menu screen using the keyboard, then press 1 on the keyboard to start BASIC
4. Enter the code written below
5. Press F8 to run the program
6. Where it says WORLD=?, type the number of the world you want to play and hit Return
7. Once it says OK on the screen, eject the backup cartridge with the system still on
8. Insert the Super Mario Bros. cartridge
9. Reset the game
10. Use the continue code at the title screen: hold A and press Start
11. You're now at the world you selected!
The BASIC code is this:

10 FOR I=&H7D3 TO &H7DC:POKE I,0:NEXT
20 POKE &H7FF,&HA5
30 INPUT "WORLD=";A
40 POKE &H7FD,A+255AND255


Thoughts?
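
As an added example (not from the thread or the linked article), this Python model applies the listing's POKEs to a 2 KiB RAM image and shows why the planted world number is still honoured after the cartridge swap and reset. The reset check in `warm_boot_accepted` and the cold-boot behaviour are assumptions about Super Mario Bros. that the thread does not state, and all function names are hypothetical.

```python
# Added illustration; not code from the thread or the linked article.
RAM_SIZE = 0x800  # the Famicom's 2 KiB of internal RAM, $0000-$07FF


def run_basic_program(ram, world):
    """Apply the POKEs from the post's BASIC listing to a RAM image."""
    for addr in range(0x7D3, 0x7DC + 1):  # line 10: zero $07D3-$07DC
        ram[addr] = 0
    ram[0x7FF] = 0xA5                     # line 20: POKE &H7FF,&HA5
    ram[0x7FD] = (world + 255) & 255      # line 40: world N stored as N-1, mod 256
    return ram


def warm_boot_accepted(ram):
    """ASSUMED reset check: six score digits below 10 and a marker byte of $A5."""
    digits_ok = all(ram[addr] < 10 for addr in range(0x7D7, 0x7DC + 1))
    return digits_ok and ram[0x7FF] == 0xA5


def continue_world_after_reset(ram):
    """Return the 1-based world the continue code would use, or None on a cold boot.

    ASSUMPTION: a cold boot clears RAM, so the planted byte at $07FD is lost.
    """
    if not warm_boot_accepted(ram):
        return None
    return ram[0x7FD] + 1


def power_on_ram(fill=0xFF):
    """Constructed sample: RAM filled with one value, standing in for power-on state."""
    return bytearray([fill] * RAM_SIZE)


if __name__ == "__main__":
    untouched = power_on_ram()
    print("untouched RAM passes check:", warm_boot_accepted(untouched))
    for world in (1, 36, 256):
        ram = run_basic_program(power_on_ram(), world)
        print(world, hex(ram[0x7FD]), continue_world_after_reset(ram))
```

The modelled check validates only a marker byte and value ranges, so any program that ran earlier on the same powered-on console can satisfy it.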

NES/Famicom cart-swap arbitrary code execution

Posted by: Torchickens
Date: 2019-06-06 12:38:25
Melodic Evie the Bird Mother ❤ 🦉 Today at 6:07 PM
It's taking a long time for me to load so you might not be alone. Managed to save an archived copy of my post though. One moment
[GCL went down for a short time so I sent Ganix a screenshot of the top post]

However, virtually all of the information is in that Legends of Localization link
Basically, you can do it with Tennis steps and Super Mario Bros. to access 256 worlds.
However with Family Basic (which is not the basic way) you may be able to write RAM to any game you want.
I don't actually know whether Nintendo intended this all along, but Family Basic (official software) is ancient
If this helps https://www.ebay.co.uk/itm/FAMILY-BASIC-Asobo-Famicom-Nintendo-Program-Game-Guide-Book-Brand-New-Japan-RARE/303039786540?hash=item468e942e2c:g:2xEAAOSwTuJYq~IG

Ganix Today at 6:10 PM
Do you think it'll work in an American NES? =o
Melodic Evie the Bird Mother ❤ 🦉 Today at 6:10 PM
You can find some scans in that listing
Maybe :o, they may have of course patched it out though.
Hope not though -_-
This is the link I mentioned in that screenshot https://legendsoflocalization.com/super-mario-bros/misc/

Ganix Today at 6:12 PM
Idk if I have tennis, lemme check
Heck, we don't have Tennis ;w;
Melodic Evie the Bird Mother ❤ 🦉 Today at 6:13 PM
Aww sucks :(
I guess an educated assumption may be the RAM for tennis steps is the same address for the Super Mario Bros. saved world
Maybe we can use Datacrystal to find out
Ganix Today at 6:15 PM
I mean, it definitely might be intentional, didn't they plan to do a swappy thing with the N64? =o
Melodic Evie the Bird Mother ❤ 🦉 Today at 6:16 PM
I didn't know actually, nice! Can you tell me more please?
Ganix Today at 6:16 PM
One sec~
Melodic Evie the Bird Mother ❤ 🦉 Today at 6:16 PM
Thanks
I remember MrWint did Stadium ACE though
No, cheese guy forgot his name sorry
(Yeah, that one was via Transfer Pak https://www.youtube.com/watch?v=Bb0v-VDsBkQ )
YouTube
MrCheeze
Arbitrary Code Execution in Pokemon Stadium (first ever N64 ACE!)

Idea: https://datacrystal.romhacking.net/wiki/Super_Mario_Bros.:RAM_map In Super Mario Bros. 0x002A-0x0032 Hammers (correspond with last 9 hitbox coordinates, 0x04D0-0x04F3), when not 0
Then we have https://datacrystal.romhacking.net/wiki/Castlevania_II:RAM_map RAM 0x31 is lives.

Ganix Today at 6:25 PM
Heck I can't find it yet, but it was an interview with Greg Kirkhope, he said they scrapped Stop'n'Swop at the last minute because of a hardware revision in the N64 that reduced the amount of time that the system retains data in memory from 10 seconds down to 1 second. =X
Melodic Evie the Bird Mother ❤ 🦉 Today at 6:30 PM
Ah, wow! Umm was it planned for Banjo Kazooie and Tooie https://banjokazooie.fandom.com/wiki/Stop_%27n%27_Swop

I have another idea as well (but it's like running before walking), but if we can do the cart-swap maybe it may give something useful. The Mobile System GB exists for Japanese Game Boy Colors/Game Boy Advance. But there was also an online Famicom service called the Famicom Network System. It wasn't meant for games, rather the stock market and information. But we could maybe change that.
https://en.wikipedia.org/wiki/Family_Computer_Network_System

Virtually no one knows all of the titles, it's that obscure, but I made a list because I'm into general Nintendo too
http://www.niwanetwork.org/wiki/List_of_Famicom_Network_System_software